This is the simplest way (short of complete replacement) to inject something into existing files. You don't have to worry about the file structure, and the injected code can hardly break anything. The downside of this method is that the injection is easy to detect when a webmaster looks through the HTML source: the beginning and the end of a file are the most prominent places.

That's why, a few days later, hackers started to inject their iframes into the middle of the existing HTML code, where site owners can easily overlook them. To be more precise, they now inject the iframes right after the <body> tag.

Frequent updates

In this attack, hackers introduce new domain names for the iframes every day, and every day they update the injected code on compromised websites so that the iframes always point to the most current malicious domain. This way they stay one step ahead of malware blacklists.

The bug

When they update the injected code, they remove the old iframes and then insert new ones. And it looks like the software that does this replacement is buggy.

On some sites I started to notice that the end of the HTML code was missing, as if it had been truncated.

Here you can see truncated Google Analytics code, which webmasters usually place at the very bottom of HTML files.

I started to monitor infected pages. With every update of the iframe code, some of them became shorter and shorter.

It looks like when hackers moved the iframe code from the bottom of the file to the middle, their update routine kept a step that removes N bytes from the end of the file, where N is the length of the previous version of the iframe code. That step used to delete the old iframe sitting at the bottom. Now that the iframes are always in the middle, they simply forgot to remove the rule that truncates the file, so each update cuts N bytes of legitimate code off the end instead.

Another hypothesis is that they try to preserve the original size of infected files. So when they add N bytes to a file (by injecting an iframe), they also remove N bytes from the end of the file. But when they replace a previous version of the iframe, they forget to add back the length of the code they removed. Either way the visible effect is the same: an infected file gets shorter with every iframe update, by the length of the iframe that was replaced.
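To see why the second hypothesis produces exactly the "shorter with every update" pattern, here is a small model of such a size-preserving injector. This is an illustration added to this post, not the hackers' code (which is not available): the sample page, the domain names, the iframe markup and the injector logic itself are all constructed. It also includes the cheap integrity check a webmaster can run over a site to spot pages that have lost their closing tags.

```python
import re

# Constructed sample page (not from the original post): legitimate markup with an
# analytics-style snippet at the very bottom, where webmasters usually put it.
ORIGINAL_HTML = """<html>
<head><title>Example page</title></head>
<body>
<h1>Welcome</h1>
<p>Some legitimate content that the site owner published.</p>
<!-- analytics code that webmasters usually place at the very bottom -->
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-0000000-1");
pageTracker._trackPageview();
</script>
</body>
</html>
"""

# Matches the 1x1 hidden iframe this model injects (hypothetical markup).
IFRAME_RE = re.compile(r'<iframe src="http://[^"]*" width="1" height="1"[^>]*></iframe>')


def make_iframe(domain):
    """Build the hidden iframe for today's (hypothetical) malicious domain."""
    return ('<iframe src="http://%s/in.cgi?3" width="1" height="1" '
            'frameborder="0"></iframe>' % domain)


def buggy_update(html, domain):
    """One 'daily update' by a size-preserving injector, with the bug from the
    second hypothesis built in.

    It strips any earlier iframe, inserts the new one right after <body>, then
    cuts len(new) bytes off the end so the file size does not change. What it
    forgets is that the old iframe it just removed also shortened the file, so
    after the first run every update shrinks the page by the length of the
    iframe it replaced, eating the analytics code and </body></html> first.
    """
    new = make_iframe(domain)
    html = IFRAME_RE.sub("", html)                  # old iframe gone; its length is never added back
    head, body_tag, tail = html.partition("<body>")
    if not body_tag:
        return html                                 # no <body>: nothing injected, nothing truncated
    html = head + body_tag + new + tail
    return html[:-len(new)]                         # the 'keep the size' step that does the damage


def simulate(domains, html=ORIGINAL_HTML):
    """Apply one update per domain; return the size after each update and the final page."""
    sizes = []
    for domain in domains:
        html = buggy_update(html, domain)
        sizes.append(len(html))
    return sizes, html


def looks_truncated(html):
    """Cheap check a webmaster can run over a whole site: a page that no longer
    contains </body> and </html> is a candidate for this kind of damage."""
    lowered = html.lower()
    return "</body>" not in lowered or "</html>" not in lowered


if __name__ == "__main__":
    sizes, final = simulate(["a.example", "bb.example", "ccc.example"])
    print("original size:", len(ORIGINAL_HTML), "sizes after each update:", sizes)
    print("final page looks truncated:", looks_truncated(final))
```

The first run leaves the file size unchanged, which is presumably what the authors tested; only the second and later updates shrink it, each time by the length of the iframe being replaced. The first hypothesis in the post gives the same observable result, since there N is also the length of the previous iframe. Running `looks_truncated` over every .html file on a server, and comparing the results with a known-good copy, is a quick way to find pages that need restoring from backup.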

I should mention that not all infected files are affected by this bug. This truncation looks like an edge case the hackers forgot to test. After all, they don't really care if they damage some sites; they just need code that works most of the time.

To webmasters: it's bad when your site is hacked, but it's even worse when hackers damage your HTML files and you don't have a backup copy to restore them. I know most of you back up your websites regularly, but I also know that some webmasters don't bother with backups and think that their files are safe online.